Flawed Sprint Security Worse Than We Thought

By consumerist.com, April 9, 2008

In the comments on our post exposing a flaw in Sprint’s online account security that would let a stranger completely take control of your cellphone account, a former Sprint rep says it’s even weaker than what we thought. How? Reader Dragonfire81 says that every question about cars has three luxury models and one typical car, making it pretty easy to guess. “None of the above” for “which properties have you owned” was correct 99% of the time. And worst of all, you only need to answer two of the questions correctly to gain access to an account. “I was shocked at the number of times I was able to access an account by simply guessing the answers,” he writes. “Fortunately I am an ethical person, but if I wasn’t I could’ve done a LOT of damage very easily.” Here’s his comment in full:

I’m a former Sprint rep; I worked with this “3 questions” system numerous times.

I was shocked at the number of times I was able to access an account by simply guessing the answers. Fortunately I am an ethical person, but if I wasn’t I could’ve done a LOT of damage very easily.

In every question pertaining to cars, it was always three luxury models plus one typical one (Peugeot, Porsche, Ferrari and Ford, for example), which made them stupidly easy to guess.

In addition, the “none of the above” answer for “which properties have you owned?” was correct 99% of the time.

On top of that, one thing the article does not mention is that you are only required to answer TWO of the three questions correctly to gain access to an account. The system won’t tell you which ones were right and wrong, but you need only answer TWO of three to get access.

This new process is more trouble than it’s worth if you ask me and I’d like to find the person who came up with it and give him a good punch to the head.

But don’t blame Sprint for all of this; some people truly don’t give a crap about the security on their accounts. When asking customers to set up a 6-digit PIN number, most just wanted to set it to 111111 or 123456. Pretty secure, huh?
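To put numbers on the two weaknesses the comment describes (skewed answer choices and a 2-of-3 pass threshold), here is an added example that is not part of the original post or of any Sprint system. It assumes one property question and two car questions per challenge, that a guesser picks uniformly among four car options (the rep says the real odds were better than that, so these figures are a floor), and it includes a simple check for the trivial PINs mentioned at the end.

```python
def pass_probability(per_question, required):
    """Probability that a guesser who answers each question independently
    with the given success probabilities gets at least `required` right.
    Computes the Poisson-binomial distribution by dynamic programming."""
    dist = [1.0]  # dist[j] = P(exactly j correct so far)
    for p in per_question:
        nxt = [0.0] * (len(dist) + 1)
        for j, q in enumerate(dist):
            nxt[j] += q * (1 - p)      # this question answered wrong
            nxt[j + 1] += q * p        # this question answered right
        dist = nxt
    return sum(dist[required:])


def is_trivial_pin(pin):
    """Flag 6-digit PINs that are a repeated digit (111111) or a straight
    ascending/descending run (123456, 654321), the choices the rep cites."""
    if len(pin) != 6 or not pin.isdigit():
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {0} or steps == {1} or steps == {-1}


# Assumed per-question guess rates (constructed for illustration):
PROPERTY_NONE_OF_ABOVE = 0.99   # "none of the above" correct 99% of the time
CAR_UNIFORM_GUESS = 0.25        # four options, no skew assumed (a floor)

SCENARIOS = {
    # sound design: four equally likely options, all three must be right
    "uniform, 3 of 3": pass_probability([0.25] * 3, 3),
    # threshold weakened to 2 of 3 but answers still uniform
    "uniform, 2 of 3": pass_probability([0.25] * 3, 2),
    # as described: skewed property question plus 2-of-3 threshold
    "as described, 2 of 3": pass_probability(
        [PROPERTY_NONE_OF_ABOVE, CAR_UNIFORM_GUESS, CAR_UNIFORM_GUESS], 2),
}

if __name__ == "__main__":
    for name, prob in SCENARIOS.items():
        print(f"{name:22s} attacker pass rate = {prob:.4f}")
    for pin in ("111111", "123456", "482910"):
        print(pin, "trivial" if is_trivial_pin(pin) else "ok")
```

Even with random guessing on the car questions, the described design lets a stranger through more than four in ten attempts, versus about one in sixty-four for a uniform 3-of-3 challenge.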